Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

question about browser exploits

more options

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird? (I would assume that would be considered a vulnerability and if it is possible it would be patched immediately, but I also figured that it is better to ask than to "assume.")

Chosen solution

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.

Ler a resposta no contexto 👍 0

All Replies (2)

more options

I would think that they would catch such intrusions. I personally have no such problems my self. wish you good luck and stay safe.

more options

Chosen Solution

4232jl said

If you visit a website with malicious javascript in Firefox (ver. 93), is it possible for the site to access passwords stored in the browser, or typed or stored in Mozilla Thunderbird?

There is at least a theoretical risk to data saved in Firefox (not in Thunderbird), and a corresponding mitigation.

(1) Let's say you saved a login for Site A and you are visiting Site A. If an attacker has figured out how to inject alien scripts into Site A, it is possible for an attack script to draw a (hidden) login form in the page in the hope that your browser will autofill the username and password fields with your login. If it does, then the attack script could read that information out of the form. To avoid this risk, you can turn off autofilling of login forms. In Firefox, that's on the Settings/Preferences page:

With autofill off, any saved login(s) will be suggested in a drop-down so you can fill the form with one click on the drop-down.

(2) If you are visiting a site you have NOT saved a login for, it's very difficult to think of any method an attack script could use to access saved logins. Scripts have a standard set of interfaces they can use to obtain browser information, and there is no interface for reading saved logins.

It's not possible to completely rule out a programming error, of course, so if such a serious vulnerability were to be reported to Mozilla, it likely would be fixed within the usual update cycle (4 weeks) or faster.